Automatically roll out IAM Root Access Management

With the introduction of root access management, AWS organisation owners can now securely manage root account credentials centrally. For some larger enterprises, enabling this across the organisation is a slow and click-heavy rollout. This post gives the steps to automate the enablement and rollout across an organisation.

Published Nov 26, 2024
Last Modified Nov 28, 2024
Managing root credentials at scale has always been a tiresome process, and the recommendation to use hardware MFA adds a further hurdle. We used to get around this fairly easily while engineers were in the office: an engineer would follow a simple but time-consuming process.
  • Check the hardware MFA key out of its safe location
  • Create the account using IaC
  • Reset the password on the account, storing it in a centralised password manager
  • Log in to the account and set up the hardware MFA
  • Check the key back in
When COVID hit, we adapted to a remote-first way of working, but this made root credentials much harder to manage and we felt we were always chasing down accounts to enable MFA. Eventually our TAMs were chasing us when accounts slipped through the net.
The introduction of Root Access Management has eliminated this process: once it is enabled, all newly created accounts are safe by default, and even the root password-reset functionality is disabled.
For older accounts, the console can be used to remove the root credentials from each account by hand, but with a large number of accounts, clicking through the UI and enabling each one manually was not an option.
To roll this out automatically I wrote a simple Python application: open a CloudShell in the management account, check out the repo and leave it to run. It comes with a skip flag for each credential type that is removed and a dry-run mode that shows what would happen across the organisation.
Usage example
git clone https://github.com/WPP-Public/aws-root-access-management.git root-account-management
cd root-account-management
python3 ./main.py
Skip signing certificates
git clone https://github.com/WPP-Public/aws-root-access-management.git root-account-management
cd root-account-management
python3 ./main.py --skip-signing-certificates
It's as simple as that, but if you want the details of how it works, continue reading.
The meaty bit - broken down
Essentially, what we are doing is: enabling root access management, iterating over each account in the organisation, assuming root in that account and running the disables for each credential type.
Enabling root access management
aws organizations enable-aws-service-access --service-principal iam.amazonaws.com
aws iam enable-organizations-root-credentials-management
aws iam enable-organizations-root-sessions
Then iterate over each account and, for each account:
aws sts assume-root --target-principal <account_id> --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials --duration-seconds 900
# Export the short-lived credentials returned by assume-root before running the commands below

aws iam get-login-profile
# if a login profile exists
aws iam delete-login-profile
aws iam list-access-keys
# for each key returned
aws iam delete-access-key --access-key-id <access_key_id>
aws iam list-signing-certificates
# for each certificate returned
aws iam delete-signing-certificate --certificate-id <certificate_id>
aws iam list-mfa-devices
# for each device returned
aws iam deactivate-mfa-device --serial-number <serial_number>
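The same procedure (enable the feature, assume root per account, run the disables) written against the boto3 client API, as an added example rather than the code in the WPP-Public repository. It keeps the dry-run mode and skip flags described above. The IAM client is passed in to remove_root_credentials, so the constructed FakeIam class lets the logic run offline against a made-up legacy account; the real boto3 wiring, including the organisation-wide loop and the assumption that the management account is skipped, lives in main() and needs management-account credentials.

```python
from types import SimpleNamespace


class NoSuchEntityException(Exception):
    """Stand-in for iam.exceptions.NoSuchEntityException (constructed for the demo)."""


class FakeIam:
    """Constructed stand-in for a boto3 IAM client whose caller is one account's root user.
    Method names and response shapes mirror boto3 so the cleanup logic can run offline."""
    exceptions = SimpleNamespace(NoSuchEntityException=NoSuchEntityException)

    def __init__(self, login_profile=True, access_keys=(), certificates=(), mfa_devices=()):
        self.login_profile = login_profile
        self.access_keys = list(access_keys)
        self.certificates = list(certificates)
        self.mfa_devices = list(mfa_devices)

    def get_login_profile(self):
        if not self.login_profile:
            raise NoSuchEntityException("no login profile")
        return {"LoginProfile": {}}
    def delete_login_profile(self):
        self.login_profile = False
    def list_access_keys(self):
        return {"AccessKeyMetadata": [{"AccessKeyId": k} for k in self.access_keys]}
    def delete_access_key(self, AccessKeyId):
        self.access_keys.remove(AccessKeyId)
    def list_signing_certificates(self):
        return {"Certificates": [{"CertificateId": c} for c in self.certificates]}
    def delete_signing_certificate(self, CertificateId):
        self.certificates.remove(CertificateId)
    def list_mfa_devices(self):
        return {"MFADevices": [{"SerialNumber": s} for s in self.mfa_devices]}
    def deactivate_mfa_device(self, SerialNumber):
        self.mfa_devices.remove(SerialNumber)


def remove_root_credentials(iam, account_id, dry_run=True,
                            skip_signing_certificates=False, skip_mfa=False):
    """The disables from the walkthrough, run against one account's root user.
    `iam` must be a client built from AssumeRoot credentials for `account_id`, so the
    UserName-less calls resolve to that root user. Returns the actions taken (in dry-run,
    the actions that would be taken); nothing is deleted while dry_run is True."""
    actions = []

    def do(description, call):
        actions.append(f"{account_id}: {'would ' if dry_run else ''}{description}")
        if not dry_run:
            call()

    try:  # console password: GetLoginProfile raises NoSuchEntity when there is none
        iam.get_login_profile()
        do("delete login profile", iam.delete_login_profile)
    except iam.exceptions.NoSuchEntityException:
        pass
    for key in iam.list_access_keys()["AccessKeyMetadata"]:  # root holds at most two keys
        do(f"delete access key {key['AccessKeyId']}",
           lambda k=key["AccessKeyId"]: iam.delete_access_key(AccessKeyId=k))
    if not skip_signing_certificates:
        for cert in iam.list_signing_certificates()["Certificates"]:
            do(f"delete signing certificate {cert['CertificateId']}",
               lambda c=cert["CertificateId"]: iam.delete_signing_certificate(CertificateId=c))
    if not skip_mfa:
        for dev in iam.list_mfa_devices()["MFADevices"]:
            do(f"deactivate MFA device {dev['SerialNumber']}",
               lambda s=dev["SerialNumber"]: iam.deactivate_mfa_device(SerialNumber=s))
    return actions


def main(dry_run=True, **skips):
    """Real wiring (needs management-account credentials): enable the feature, then
    assume root in each member account and run the cleanup there."""
    import boto3  # imported here so the offline demo below does not need it
    org, iam, sts = (boto3.client(s) for s in ("organizations", "iam", "sts"))
    org.enable_aws_service_access(ServicePrincipal="iam.amazonaws.com")
    iam.enable_organizations_root_credentials_management()
    iam.enable_organizations_root_sessions()
    mgmt = org.describe_organization()["Organization"]["MasterAccountId"]
    for page in org.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            if acct["Id"] == mgmt or acct["Status"] != "ACTIVE":
                continue  # assumed here: the management account's root is not targeted
            creds = sts.assume_root(
                TargetPrincipal=acct["Id"], DurationSeconds=900,
                TaskPolicyArn={"arn": "arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"},
            )["Credentials"]
            root_iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                                    aws_secret_access_key=creds["SecretAccessKey"],
                                    aws_session_token=creds["SessionToken"])
            print("\n".join(remove_root_credentials(root_iam, acct["Id"], dry_run, **skips)))


if __name__ == "__main__":  # offline demo on a constructed legacy account: plan, then apply
    legacy = FakeIam(access_keys=["AKIAEXAMPLE0000001"], certificates=["CERTEXAMPLE001"],
                     mfa_devices=["arn:aws:iam::111111111111:mfa/root-account-mfa-device"])
    print("\n".join(remove_root_credentials(legacy, "111111111111", dry_run=True)))
    print("\n".join(remove_root_credentials(legacy, "111111111111", dry_run=False)))
```

Running the file as-is prints the dry-run plan for the constructed account and then applies it; calling main(dry_run=False, skip_signing_certificates=True) from a CloudShell in the management account is the equivalent of the --skip-signing-certificates invocation above. The returned action list is what to log or review before flipping dry_run off across a large organisation.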